AD Starter Scan - Kerberos Pre-authentication Validation

medium Nessus Plugin ID 150482

Synopsis

Kerberos pre-authentication is disabled on a user account.

Description

Active Directory uses the Kerberos protocol for authentication. As it is an old protocol, numerous security hardening measures have been added since its creation, and some legacy options must be disabled to maintain a proper security posture.

An attacker can use the AS-REP Roasting attack to guess users' passwords. The first part of the AS-REP Roasting attack is to identify users for whom Kerberos pre-authentication is not required, i.e. accounts with the DONT_REQ_PREAUTH flag set in their userAccountControl attribute.

Without Kerberos pre-authentication, an attacker can send an authentication request (AS-REQ) to the KDC on behalf of the user. The KDC will then reply with an encrypted TGT (AS-REP). A part of the AS-REP is encrypted with the user's long-term key, derived from their own password. The attacker can then brute-force the password offline. This attack is much faster than online brute-forcing (i.e. making numerous authentication requests against the KDC with different passwords).

Pre-authentication forces the attacker to already possess the password (the client must encrypt a timestamp with the user's key) before the KDC sends back the encrypted TGT.

By default, this check skips disabled accounts. To also check disabled accounts, please enable thorough tests.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

Configure all accounts to require Kerberos pre-authentication.
This is the default for accounts created nowadays, but some legacy accounts might still have pre-authentication disabled.
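The following is an added example, not the Nessus plugin's own code, showing how the check described above and the remediation can be expressed over the userAccountControl attribute: it decodes the well-known bit flags (ACCOUNTDISABLE = 0x0002, NORMAL_ACCOUNT = 0x0200, DONT_REQ_PREAUTH = 0x400000), reports accounts that do not require pre-authentication, skips disabled accounts unless a "thorough" mode is requested, and computes the corrected userAccountControl value with the flag cleared. The user records and account names are constructed sample data, shaped like an LDAP search result; the record keys `sAMAccountName` and `userAccountControl` are the real AD attribute names.

```python
# Added example (not Nessus plugin code): decode userAccountControl and flag
# accounts that do not require Kerberos pre-authentication (AS-REP Roasting
# exposure). Sample input below is constructed, not taken from a real domain.

from dataclasses import dataclass

# Well-known userAccountControl bit flags (Microsoft ADS_USER_FLAG_ENUM).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000  # 4194304 decimal


@dataclass(frozen=True)
class Finding:
    sam_account_name: str
    user_account_control: int
    disabled: bool
    fixed_user_account_control: int  # same value with DONT_REQ_PREAUTH cleared


def decode_flags(uac: int) -> dict:
    """Return the subset of userAccountControl bits this check cares about."""
    return {
        "disabled": bool(uac & ACCOUNTDISABLE),
        "normal_account": bool(uac & NORMAL_ACCOUNT),
        "dont_req_preauth": bool(uac & DONT_REQ_PREAUTH),
    }


def find_preauth_disabled(users, thorough: bool = False) -> list:
    """Return a Finding for every user whose DONT_REQ_PREAUTH flag is set.

    Mirrors the plugin's stated behaviour: disabled accounts are skipped
    unless thorough checks are enabled.
    """
    findings = []
    for user in users:
        uac = int(user["userAccountControl"])
        flags = decode_flags(uac)
        if not flags["dont_req_preauth"]:
            continue  # pre-authentication required: nothing to report
        if flags["disabled"] and not thorough:
            continue  # default mode skips disabled accounts
        findings.append(Finding(
            sam_account_name=user["sAMAccountName"],
            user_account_control=uac,
            disabled=flags["disabled"],
            # Remediation value: clear only the DONT_REQ_PREAUTH bit, keep the rest.
            fixed_user_account_control=uac & ~DONT_REQ_PREAUTH,
        ))
    return findings


# Constructed sample records with hypothetical account names.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},               # NORMAL_ACCOUNT only
    {"sAMAccountName": "svc_legacy", "userAccountControl": 4194816},      # 512 | DONT_REQ_PREAUTH
    {"sAMAccountName": "old_contractor", "userAccountControl": 4194818},  # 512 | DONT_REQ_PREAUTH | ACCOUNTDISABLE
    {"sAMAccountName": "bob", "userAccountControl": 66048},               # 512 | 0x10000 (DONT_EXPIRE_PASSWD)
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"thorough={mode}:")
        for f in find_preauth_disabled(SAMPLE_USERS, thorough=mode):
            state = "disabled" if f.disabled else "enabled"
            print(f"  {f.sam_account_name} ({state}): userAccountControl "
                  f"{f.user_account_control} -> set to {f.fixed_user_account_control}")
```

Against a live domain the same selection is a single LDAP bitwise-AND filter, `(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))`, and the fix is to write back the value with the bit cleared (or clear "Do not require Kerberos preauthentication" on the account's properties). The script stays offline on purpose so the flag logic can be verified before touching any directory.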

See Also

http://www.nessus.org/u?14c411d0

https://tools.ietf.org/html/rfc4120

https://www.kerberos.org/software/tutorial.html

https://attack.mitre.org/techniques/T1558/004/

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: Medium

ID: 150482

File Name: adsi_kerberos_pre_auth.nbin

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 9/20/2021

Dependencies: adsi_enum.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

CVSS v2

Risk Factor: Medium

Base Score: 4.1

Vector: AV:L/AC:M/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 4.5

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_users_and_groups/available